This section briefly describes the CC security functionality requirements
(by CC class),
primarily to give you an idea of the kinds of security requirements
you might want in your software.
If you want more detail about the CC’s requirements, see CC part 2.
Here are the major classes of CC security requirements, along with
the 3-letter CC abbreviation for that class:

Security Audit (FAU).
Perhaps you’ll need to recognize, record, store, and analyze
security-relevant activities.
You’ll need to identify what you want to make auditable, since
often you can’t leave all possible auditing capabilities enabled.
Also, consider what to do when there’s no room left for auditing -
if you stop the system, an attacker may intentionally do things to be logged
and thus stop the system.

Communication/Non-repudiation (FCO).
This class is poorly named in the CC; officially it’s called
communication, but the real meaning is non-repudiation.
Is it important that an originator cannot deny having sent a message, or
that a recipient cannot deny having received it?
There are limits to how well technology itself can support
non-repudiation (e.g., a user might be able to give their private key away
ahead of time if they wanted to be able to repudiate something later),
but nevertheless for some applications supporting non-repudiation
capabilities is very useful.

Cryptographic Support (FCS).
If you’re using cryptography, what operations use cryptography,
what algorithms and key sizes are you using, and how are you managing
their keys (including distribution and destruction)?

User Data Protection (FDP).
This class specifies requirement for protecting user data, and is a big
class in the CC with many families inside it.
The basic idea is that you should specify a policy for data
(access control or information flow rules),
develop various means to implement the policy,
possibly support off-line storage, import, and export, and
provide integrity when transferring user data between TOEs.
One often-forgotten issue is residual information protection - is it
acceptable if an attacker can later recover “deleted” data?

Identification and authentication (FIA).
Generally you don’t just want a user to report who they are
(identification) - you need to verify their identity, a process
called authentication.
Passwords are the most common mechanism for authentication.
It’s often useful to limit the number of authentication attempts
(if you can) and limit the feedback during authentication
(e.g., displaying asterisks instead of the actual password).
Certainly, limit what a user can do before authenticating; in many cases,
don’t let the user do anything without authenticating.
There may be many issues controlling when a session can start, but in the CC
world this is handled by the "TOE access" (FTA) class described below instead.

Security Management (FMT).
Many systems will require some sort of management (e.g., to
control who can do what), generally by those who are given a more
trusted role (e.g., administrator).
Be sure you think through what those special operations are, and ensure that
only those with the trusted roles can invoke them.
You want to limit trust; ideally, even more trusted roles should be limited
in what they can do.

Privacy (FPR).
Do you need to support anonymity, pseudonymity, unlinkability,
or unobservability?
If so, are there conditions where you want or don’t want these
(e.g., should an administrator be able to determine the real identity
of someone hiding behind a pseudonym?).
Note that these can seriously conflict with
non-repudiation, if you want those too.
If you’re worried about sophisticated threats, these functions
can be hard to provide.

Protection of the TOE Security Functions/Self-protection (FPT).
Clearly, if the TOE can be subverted, any security functions it provides
aren’t worthwhile, and in many cases a TOE has to provide at least some
self-protection.
Perhaps you should "test the underlying abstract machine" - i.e., test
that the underlying components meet your assumptions,
or have the product run self-tests
(say during start-up, periodically, or on request).
You should probably "fail secure", at least under certain conditions;
determine what those conditions are.
Consider phyical protection of the TOE.
You may want some sort of secure recovery function after a failure.
It’s often useful to have replay detection (detect when an attacker is
trying to replay older actions) and counter it.
Usually a TOE must make sure that any access checks are
always invoked and actually succeed before performing a restricted action.

Resource Utilization (FRU).
Perhaps you need to provide fault tolerance,
a priority of service scheme, or support
resource allocation (such as a quota system).

TOE Access (FTA).
There may be many issues controlling sessions.
Perhaps there should be a limit on the number of concurrent sessions
(if you’re running a web service, would it make sense for the same user
to be logged in simultaneously, or from two different machines?).
Perhaps you should lock or terminate a session automatically
(e.g., after a timeout), or let users initiate a session lock.
You might want to include a standard warning banner.
One surprisingly useful piece of information is displaying, on login,
information about the last session (e.g., the date/time and location of the
last login) and the date/time of the
last unsuccessful attempt - this gives users information
that can help them detect interlopers.
Perhaps sessions can only be established based on other criteria
(e.g., perhaps you can only use the program during business hours).

Trusted path/channels (FTP).
A common trick used by attackers is to make the screen appear to be
something it isn’t, e.g., run an ordinary program that looks like a
login screen or a forged web site.
Thus, perhaps there needs to be a "trusted path" - a way that users
can ensure that they are talking to the "real" program.